This account is a replica from Hacker News. Its author can't see your replies.
That would be awesome! ESPHome is the easiest way to integrate custom devices into your HomeAssistant with online updates, logs, and other functionality. Nothing else comes close.

Apparently, there were shenanigans from investors/creditors. So the company got quietly carved up instead of going through a bankruptcy auction.

I'm looking forward to the eventual investigational report.

BTW, the company was Natron Energy.

Just wait until you find out about hydrogen sulfide from overcharged car batteries.

Also, I think HCN can be scrubbed by adding a special absorptive cap onto the battery.

Just remember, the US Na-Ion battery startup died last year with _products_ _in_ _warehouses_ just because it couldn't get a UL certification. All it needed was a bridge loan.

And the government did nothing.

I'm mostly thinking about dangerous from the security point of view. I agree that it might not be the best from the operational point of view. DNSSEC in its current state makes DNS updates even more risky than they are, I agree with that.

DNSSEC is not dangerous. Pretty much the worst thing is breakage, not an accidental compromise.

It's also more secure, compared to ACME. An on-path attacker can impersonate the site operator and get credentials. DNSSEC is immune to that.

Yes, and it'd be great if DNSSEC added an "advisory" signature level. So it can be deployed without doing a leap of faith.

But let's not pretend that WebPKI is perfect. More than one large service failed at some point because of a forgotten TLS certificate renewal. And more than one service was pwned because a signing key leaked. Or a wildcard certificate turned out to be more wildcard than expected.

I understand the failures of DNSSEC and DNS in general. And we need to do something about it because it's really showing signs of its age as we continue to pile on functionality onto it.

I don't have an idea for a good solution for everything, but I just can't imagine us piling EVERYTHING onto WebPKI either.

When you shoot yourself in the foot with DNSSEC, you typically end up with a non-working setup.

The biggest problem is that DNS replies are often cached, so fixes for the mistakes can take a while to propagate. With Let's Encrypt you typically can fix stuff right away if something fails.

Come on. It's not dangerous, it's just inconvenient and clumsy. So nobody is really using it.

Sure. It's yet another advantage of doing True DANE. But it still requires DNS to be reliable for the certificate issuance to work, there's no way around it.

So why not cut out the middleman?

(And the answer right now is "legacy compatibility")